Week 9 - Networking and APIs

Introduction to Networking

Client Server Model

TCP/IP Protocol

HTTP Protocol

URL Format

Web APIs

API Testing Tools

Using APIs

AI Responsible Use

Practice

Assignment

• Teachers

Back to core program

What are Web APIs?

An API stands for Application Programming Interface. A Web API is implemented by a web application server through which it makes it services available to client applications.

Think of an API as a menu in a restaurant, and the web server is the kitchen.

• The menu (API) tells you exactly what you can order (the available resources/data) and how to order it (the specific URLs and HTTP methods).
• You (e.g., your JavaScript application) are the customer placing the order.
• The kitchen (Web Server) processes your request and sends back a response (your food/data).

A Web API (or Web Service API) is simply an API that is accessible over the HTTP protocol, the same protocol used for viewing websites. It allows different software applications to communicate with each other over the internet.

Public vs Private APIs

There are 2 different types of APIs: public and private APIs.

An API is public when software companies publish parts of their software to be freely used by developers from the outside world. If you were to integrate the Facebook API as a login system in your application, you would be using their API as a public API.

Conversely, there are also private APIs: software companies that grant access to parts of their backend applications to internal developers only, in order to develop new services to be used either internally or for the outside world.

In reality, there are way more private than public APIs. This is because it's usually in the company's best interest to keep their code base hidden from the public eye: it would be like giving your secret recipe away for free.

Keep this in mind: in the real world programming is only a means to serving a business end. In this course you're learning how to program, to make nice-looking, well-functioning applications. However, this is always done within a business context. This is to say: does this software lead to making more money/gaining more popularity/or the achievement of any other business goal?

Important API Concepts

The Core Purpose: Communication

The primary goal of a Web API is to allow a client (like your JavaScript application) to access data or trigger actions on a remote server.

• Example: A weather app (client) calls the OpenWeatherMap API (server) to get the forecast data for a city. The server handles the complex data collection and sends back a clean, structured result.

Standardized Exchange: Request and Response

Web API communication is always a two-part standardized cycle:

• A URL (the address of the resource).
• An HTTP Method (the action to perform: GET, POST, etc.).
• Headers (metadata like authorization and content type).
• An optional Body (for POST/PUT data). | | 2. The Response | Server sends data back to Client | The server processes the request and sends back a response, which contains:
• A Status Code (e.g., 200 OK, 404 Not Found).
• Headers (metadata about the response).
• A Body (the requested data, usually in JSON format). |

The Standard Data Format: JSON

Nowadays, the vast majority of modern Web APIs use JSON (JavaScript Object Notation) as the format for exchanging data in the request and response bodies. (Before JSON took over, another format called XML was commonly used on the web.)

JSON is a human-readable, lightweight format that is native to JavaScript, making it the perfect choice for API development and consumption using tools like fetch.

Example of a JSON Response Body:

{
  "user_id": 101,
  "first_name": "Alex",
  "is_active": true,
  "orders": [
    { "id": 5001, "item": "Widget" },
    { "id": 5002, "item": "Gadget" }
  ]
}

REST (Representational State Transfer)

When you hear the term web API, it is almost always referring to a RESTful API.

• REST is an architectural style (a set of design principles) for building Web APIs.
• A RESTful API uses standard HTTP methods (GET, POST, PUT, DELETE) and structured URLs to manage resources.
• The key principle: The API treats data as resources that can be identified by a URI (URL) and acted upon using the standard HTTP methods.

Specific URLs at which an API responds to HTTP requests are called endpoints. The table below gives an example of the endpoints of a RESTful API.

Basic Security

When working with Web APIs, you will very often be dealing with data that should not be publicly available: user profiles, payment details, private messages, internal business data, and more. To protect this data, APIs use a few common security mechanisms.

Authentication vs Authorization

When working with Web APIs, it is important to distinguish authentication from authorization:

• Authentication = Who are you?

  Verifies the identity of the caller.

  Example: Logging in with a password or OAuth and receiving a token.

• Authorization = What are you allowed to do?

  Checks which actions and resources that identity may access.

  Example: A user can read their own profile but not someone else’s.

In practice, the server first authenticates the client (for example, via a token), and then authorizes or denies each specific request based on that client’s permissions.

Authentication tokens

Most modern APIs require the client to prove who is making the request.

Instead of sending a username and password with every request, the client sends an authentication token.

• A token is a long, random-looking string that represents a logged-in user or an application.
• The token is usually sent in the Authorization header, for example:

GET /profile HTTP/1.1
Host: api.example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

• On the server, the token is checked. If it is valid and not expired, the request is allowed.
• If the token is missing or invalid, the server typically responds with 401 Unauthorized.

<aside> ❗

You should never hard‑code real tokens into your frontend code or commit them to Git.

</aside>

API keys

An API key is another kind of secret that identifies which application is calling the API.

• It is often used to:
  • Track usage per application.
  • Limit abuse (for example, from badly written clients or bots).
• API keys are usually sent in a header or as a query parameter, for example:

GET /weather?city=Amsterdam&apikey=YOUR_API_KEY

or

GET /weather?city=Amsterdam HTTP/1.1
x-api-key: YOUR_API_KEY

<aside> ❗

</aside>

Rate limits

To prevent abuse and to protect their servers, many APIs apply rate limiting.

• A rate limit defines how many requests a client can make in a given period of time.
• If the client sends too many requests, the API returns 429 Too Many Requests.
• Sometimes the API also returns headers telling you how many requests you have left, for example:

X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1703858400

When you build applications that call APIs, you should:

• Avoid unnecessary repeated calls (cache results where possible).
• Handle 429 responses gracefully (for example, by waiting and retrying after some time).
• Be aware that using API keys or tokens from multiple places can make you hit the limit faster.

Additional Resources

Videos:

• https://youtu.be/bxuYDT-BWaI?si=Ck6uGLEUgQNXzSzq
• https://youtu.be/-mN3VyJuCjM?si=BUtO6IfUnntHgogr